PT-2025-1051 · Fortinet · FortiProxy +1

Published 2025-01-14 · Updated 2025-07-16 · CVE-2024-55591

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

**Name of the Vulnerable Software and Affected Versions:**

Fortinet FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12

**Description:**

This vulnerability is an authentication bypass that allows a remote attacker to gain super-admin privileges by sending specially crafted HTTP requests to the Node.js websocket module. The vulnerability has been actively exploited in the wild, with reports indicating exploitation as early as November 2024. Approximately 50,000 Fortinet devices were reported as vulnerable as of January 22, 2025. Exploitation can lead to the creation of administrative accounts and potential lateral movement within a network. The vulnerability is actively being discussed on underground forums, with exploit code available. Ransomware groups, including RansomHub, have been observed leveraging this vulnerability for initial access.

**Recommendations:**

FortiOS versions prior to 7.0.17 and FortiProxy versions prior to 7.2.13 are vulnerable. Upgrade to a supported version to address this issue. Review firewall policies and VPN group memberships for any unauthorized changes. Monitor logs for suspicious activity, including unusual admin account access and requests to the `/api/v2/` endpoint. Consider disabling the vulnerable Node.js websocket module as a temporary workaround.

Exploit

Fix

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

BDU:2025-00281
CVE-2024-55591
FORTINET_CVE2024_55591

Affected Products

FortiOS
FortiProxy